Firewall Wizards mailing list archives

Re: IP over DNS.


From: Ryan Russell <ryan () securityfocus com>
Date: Tue, 12 Sep 2000 11:09:08 -0700 (PDT)

On Tue, 12 Sep 2000, Darren Reed wrote:

The biggest problem is that without doing bad things to
DNS*, you can't stop this from being setup without putting
in place a full proxy based firewall.  Why ? In order for
a packet filter firewall to work, hosts inside need to be
able to get outside address information and that's what
we need to deny people in order to stop the above.

You mean a non-transparent proxy?  That's the only type that will help
with this.  A transparent proxy will have the same problem.  You could
make a non-transparent SPF if you wanted, but that would be a pretty
strange thing to do.

It's a bit of a moot point though... most everyone here knows that you can
tunnel any protocol over any other, as long as timing is not
critical.  HTTP makes a much more universal tunnel.  You can buy VPNs that
will run over HTTP, such as VTCP/Secure from Infoexpress.

                                                Ryan
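As an added example, not part of the original thread: since a packet filter has to let DNS through, the practical defender-side check is on the query log rather than on the wire. IP-over-DNS traffic shows up as a stream of distinct, long, high-entropy subdomain labels under one domain, which a small log analyzer can flag. The BIND-style log format, the sample lines and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample query-log lines in a BIND-style "query:" format (assumption);
# they are not taken from the original thread.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51235: query: mail.example.com IN MX
client 10.0.0.7#40001: query: 5c4a2f9e1b3d7a8e6f0c2b1d9e8f7a6b.t.example.net IN TXT
client 10.0.0.7#40002: query: 9f1e3d5c7b2a4e6d8c0f1a3b5d7e9f2c.t.example.net IN TXT
client 10.0.0.7#40003: query: 2b4d6f8a1c3e5d7f9b0a2c4e6f8d1a3c.t.example.net IN TXT
client 10.0.0.7#40004: query: 7e9f1a3c5b7d9f2e4a6c8d0b1f3a5c7e.t.example.net IN TXT
client 10.0.0.9#33001: query: cdn.example.org IN A
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name):
    """Crude registered-domain guess: the last two labels. Production code should
    consult the public suffix list instead (assumption for this example)."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def find_tunnel_candidates(log_text, min_unique=3, min_entropy=3.5, min_label_len=20):
    """Group queries by registered domain and report domains that receive several
    distinct names carrying long, high-entropy labels: the shape that IP-over-DNS
    (and similar covert channels) gives the query stream. Thresholds are assumptions."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip it
        name = m.group("name").rstrip(".")
        labels = name.split(".")[:-2]  # everything left of the registered domain
        if any(len(l) >= min_label_len and shannon_entropy(l) >= min_entropy for l in labels):
            per_domain[registered_domain(name)].add(name)
    return {d: len(names) for d, names in per_domain.items() if len(names) >= min_unique}

if __name__ == "__main__":
    for domain, count in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{domain}: {count} distinct high-entropy query names")
```

Expect false positives from legitimate services that put hashes in hostnames (CDNs, some anti-spam lookups), so treat a hit as a lead to confirm against query volume and record types, not as proof of a tunnel.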


_______________________________________________
Firewall-wizards mailing list
Firewall-wizards () nfr net
http://www.nfr.net/mailman/listinfo/firewall-wizards

